On 12 July 2016, the Commission adopted its decision on the EU-U.S. Privacy Shield.
This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers. The new arrangement includes:
- strong data protection obligations on companies receiving personal data from the EU;
- safeguards on U.S. government access to data;
- effective protection and redress for individuals;
- annual joint review to monitor the implementation.
The new arrangement lives up to the requirements of the European Court of Justice. On 6 October 2015, the Court of Justice of the European Union had declared the Commission’s 2000 Decision on EU-US Safe Harbour invalid. So far, more than 1,900 companies have joined the scheme.
However, new rules were adopted recently that allow the US National Security Agency (NSA) to share private data with other US agencies without court oversight. Moreover, recent revelations about surveillance activities by a US electronic communications service provider and vacancies on US oversight bodies have raised concerns, which MEPs voiced in a resolution passed on Thursday.
In the resolution, adopted by 306 votes to 240, with 40 abstentions, MEPs call on the EU Commission to conduct a proper assessment and ensure that the EU-US “Privacy Shield” for data transferred for commercial purposes provides enough personal data protection for EU citizens to comply with the EU Charter of Fundamental Rights and new EU data protection rules. The first annual review of the Privacy Shield framework is expected in September.
“This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses”, said Civil Liberties Committee Chair Claude Moraes (S&D, UK). “We acknowledge the significant improvements made compared to the former EU-US Safe Harbour, but there are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement”, he added.
MEPs are particularly worried about:
- recent revelations about surveillance activities conducted by a US electronic communications service provider at the request of the NSA and FBI in 2015, one year after Presidential Policy Directive 28 limited the amount of data intelligence that can be collected and processed;
- new rules that from January 2017 allow the NSA to share vast amounts of private data, gathered without warrant, court orders or congressional authorisation, with 16 other agencies, including the FBI;
- the rejection of rules to protect the privacy of broadband customers by the Senate and the House of Representatives in March, which “eliminates (…) rules that would have required internet service providers to get consumers’ explicit consent before selling or sharing web browsing data and other private information with advertisers and other private companies”;
- vacancies on the Privacy and Civil Liberties Oversight Board, which means that it lost its quorum on 7 January, making it more limited in its authority, while at the same time the Federal Trade Commission, which enforces the Privacy Shield, has three of its five seats vacant;
- insufficient independence of the Ombudsperson mechanism set up by the US Department of State, plus the fact that the incoming US administration has not appointed a new Ombudsperson; and
- the fact that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for EU individuals whose data are transferred to the US.